Gh0stRat

Hi!
We’ve got another gh0st, and here is the rule for it, built according to the template of the previous one, sid:2048128 from @naumovax.

alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Win32/Gh0stRat Activity";
flow:established,to_server;
content:"|32 00 32 00 32 00 32 00 00 00|"; depth:25; fast_pattern;
content:"|78 9c|"; distance:4; within:2;
classtype: trojan-activity;
reference:md5,0d5e3beb1a973c68180cdc7b4c9be36b;
reference:url,app.any.run/tasks/bff76d98-1ed4-4503-a21b-7735bb0b7907;
sid: 1; rev: 1;)

Look at the traffic for new ideas; for example, I got the idea to write about the 1-byte content in the archive from the server.

alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive";
flow:established,to_client;
dsize: <56;
content:"|00 00 00 01 00 00 00 78 9c|"; depth: 24;
isdataat: !56;
classtype: trojan-activity;
reference:md5,0d5e3beb1a973c68180cdc7b4c9be36b;
reference:url,app.any.run/tasks/bff76d98-1ed4-4503-a21b-7735bb0b7907;
sid: 2; rev: 1;)

Best regards, Jane ೀ⋆。:tulip:


Awesome work @Jane0sint ! Here are those sids, have a great weekend!

2048477 - [ANY.RUN] Win32/Gh0stRat Activity
2048478 - [ANY.RUN] Win32/Gh0stRat Keep-Alive

Hi, can I ask you to add a link to this discussion to the rules 2048477 and 2048478?
reference:url,community.emergingthreats.net/t/gh0strat/;
Sorry for the spam :bowing_woman:

Updated signatures will go out today! Thanks!

JT
